Hacking Switch Cartridge - Reverse Engineering

smiba (OP)
As promised, the pinout and high quality pictures of the PCB

For me it looks like a normal NAND chip; however, it seems to have a rather odd pinout that does not match regular TSOP48 NAND chips. It is most likely an 8-bit channel NAND chip though, which should be readable.

(Oh, and the capacitors are 0.2 and 0.1uF. Top to bottom: 0.2uF, 0.1uF, 0.2uF, 0.1uF)

[image: PCB photo (5PFpEgV.jpg)]


-----

Pinouts!

(Blank pins are not connected to anything)



To me it looks like Pink is VCC and Dark Blue is GND, but I can't be 100% sure.

-----

I won't continue with any kind of reverse engineering, but I hope this pinout helped
KingpinSlim
I don't really think it would be all that challenging to develop a Switch flashcart that offers more features than a real cartridge.

What I worry about is, how can you improve on the flavor?
The original is already quite pungent, but could you somehow make it even stronger?

These thoughts keep me up at night.

smiba (OP)
KingpinSlim said:
I don't really think it would be all that challenging to develop a Switch flashcart that offers more features than a real cartridge.

Well, that's where you're wrong haha. There is a lot that needs to happen and to be figured out before one can develop a flashcart.

This is just the first step: get to know what you're copying before you're going to copy it. I highly doubt flashcarts will be available in the next 12 months.

xile6
Hum, maybe that's why my Zelda makes noise when I shake it lol.

I think it will be a bit hard to dump these games. Seems like there might be a lot of different types of chips in them.

Dark-Sider
I would assume the following things:
a) the chip has some kind of CPU protection (like a SIM card or pay-TV card), only giving away its contents after being challenged with the right secret.

b) Dumping the contents by tapping into an "unlocked" chip after inserting it into the console wouldn't do anything good, because the Switch will be looking for the CPU on the flash cart confirming its authenticity. Dumping the CPU microcode of those devices is proven to be hard but not impossible.

KingpinSlim
smiba said:
Well, that's where you're wrong haha. There is a lot that needs to happen and to be figured out before one can develop a flashcart.

This is just the first step: get to know what you're copying before you're going to copy it. I highly doubt flashcarts will be available in the next 12 months.
I don't know anything about the engineering work behind it, but I can tell you one thing.

Use Bitrex. Easily available and a fairly superior bittering agent compared to the weak stuff Nintendo uses.

EpicLPer
Dark-Sider said:
I would assume the following things:
a) the chip has some kind of CPU protection (like a SIM card or pay-TV card), only giving away its contents after being challenged with the right secret.

b) Dumping the contents by tapping into an "unlocked" chip after inserting it into the console wouldn't do anything good, because the Switch will be looking for the CPU on the flash cart confirming its authenticity. Dumping the CPU microcode of those devices is proven to be hard but not impossible.
I doubt they went through all this trouble after doing stuff like including partition names in the flash storage of the Switch lol

smiba (OP)
Dark-Sider said:
I would assume the following things:
a) the chip has some kind of CPU protection (like a SIM card or pay-TV card), only giving away its contents after being challenged with the right secret.

b) Dumping the contents by tapping into an "unlocked" chip after inserting it into the console wouldn't do anything good, because the Switch will be looking for the CPU on the flash cart confirming its authenticity. Dumping the CPU microcode of those devices is proven to be hard but not impossible.

I don't think this is the case, but I guess time will tell. Adding CPU protection and stuff really adds up on production costs when you make millions of them.

Impossible? No, definitely not.
Unlikely? Yes.

Anyways, right now I'm probably going to design a PCB for the Switch where I can solder a bunch of wires on to debug anything that's happening on there; sounds like the most flexible solution for getting to know the cartridge a bit better.

Dark-Sider
EpicLPer said:
I doubt they went through all this trouble after doing stuff like including partition names in the flash storage of the Switch lol

That's just basic security 101. The interesting partitions on the Switch's flash are encrypted and protected by a secure area inside the CPU. Dumping a flash is something you take for granted today. Just look at all those mobile phone chip-off forensic kits that are out there.

I would put my ass on the line that the flash cart and the Switch do some kind of mutual authorization checks before either accepts the other one. Otherwise we would be in the era of GB or NES security ;-)

If the Switch flash cart were only some kind of flash memory, the appearance of Sky3DS-style carts would only be a matter of weeks, months tops.

I'm not that deep into the 3DS flash cart security, but I'd guess that emulating a 3DS flash cart was only possible after the initial 3DS firmware breach, so an emulation of the 3DS cart security could be developed.

But it's always the same (as it is with pay TV): once you give your "secret" into customers' hands they will "hack" it sooner or later.

bye
Darky
 
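As an added illustration of the mutual challenge-response check Dark-Sider speculates about (example code written for this thread, not any poster's code and not Nintendo's actual protocol): a toy console/cartridge exchange in which the cartridge has to prove knowledge of a secret that a plain NAND dump does not contain, and the console has to prove itself back. The class names, the message layout, the nonce sizes and the demo secret are all constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret standing in for a key held in a cartridge's
# tamper-resistant security chip; not a real key of any console.
SHARED_SECRET = hashlib.sha256(b"constructed demo secret").digest()
GAME_ROM = b"\x00" * 64 + b"constructed game data"  # what a NAND dump would capture


def auth_tag(key, role, *parts):
    """HMAC-SHA256 over a role label and the nonces (constructed message layout).
    The role label stops a cart tag from being replayed back as a console tag."""
    msg = role + b"|" + b"|".join(parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecureCartridge:
    """Cartridge whose secret lives in a security chip, not in the flash."""

    def __init__(self, secret, rom):
        self._secret = secret   # never leaves the chip; no method returns it
        self.rom = rom          # readable game data, the same bytes a dump would get

    def answer(self, console_nonce):
        """Prove knowledge of the secret over the console's fresh nonce."""
        cart_nonce = secrets.token_bytes(16)
        return cart_nonce, auth_tag(self._secret, b"cart", console_nonce, cart_nonce)

    def check_console(self, cart_nonce, console_tag):
        """Second direction of the mutual check: is the console genuine?"""
        expected = auth_tag(self._secret, b"console", cart_nonce)
        return hmac.compare_digest(console_tag, expected)


class DumpOnlyClone:
    """Flash-only copy: bit-for-bit ROM, but no secret to answer with."""

    def __init__(self, rom):
        self.rom = rom

    def answer(self, console_nonce):
        # Without the secret there is nothing to compute; send a dummy tag.
        return secrets.token_bytes(16), bytes(32)

    def check_console(self, cart_nonce, console_tag):
        return True  # a clone has no way to check and no reason to care


class Console:
    """Console side: challenges the cart, then answers the cart's challenge."""

    def __init__(self, secret):
        self._secret = secret

    def authenticate(self, cart):
        console_nonce = secrets.token_bytes(16)        # fresh per insertion: no replay
        cart_nonce, cart_tag = cart.answer(console_nonce)
        expected = auth_tag(self._secret, b"cart", console_nonce, cart_nonce)
        if not hmac.compare_digest(cart_tag, expected):
            return False                               # cart did not prove the secret
        console_tag = auth_tag(self._secret, b"console", cart_nonce)
        return cart.check_console(cart_nonce, console_tag)


def demo():
    """Run the check against a genuine cart, a pure NAND dump and a wrong key."""
    console = Console(SHARED_SECRET)
    genuine = SecureCartridge(SHARED_SECRET, GAME_ROM)
    dump_only = DumpOnlyClone(genuine.rom)             # identical ROM, no secret
    wrong_key = SecureCartridge(b"\x00" * 32, GAME_ROM)
    return {
        "genuine": console.authenticate(genuine),
        "dump_only": console.authenticate(dump_only),
        "wrong_key": console.authenticate(wrong_key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} accepted={ok}")
```

The dump-only clone carries exactly the bytes a chip-off read would produce and still fails, which is the point of putting the check in a separate chip rather than in the flash. The scheme's strength then rests entirely on how well that chip guards the secret, which is the "secret in the customer's hand" problem the post raises; a shared symmetric key also means every console holds the same secret, so a real design would prefer per-cartridge keys or certificate-based (asymmetric) authentication.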

smiba (OP)
Dark-Sider said:
That's just basic security 101. The interesting partitions on the Switch's flash are encrypted and protected by a secure area inside the CPU. Dumping a flash is something you take for granted today. Just look at all those mobile phone chip-off forensic kits that are out there.

Mobile phones just use normal NAND or eMMC memory; there is nothing special about it. The difference is that they often have parts on the drives that the system marked as removed but that aren't actually erased yet. Some forensic kits make use of this to recover removed data.
Also most phones are encrypted, but for this it doesn't matter if the cartridge is encrypted. The final goal is to copy it, not to modify it.

Dark-Sider said:
If the Switch flash cart were only some kind of flash memory, the appearance of Sky3DS-style carts would only be a matter of weeks, months tops.

The hardest part is developing something like a GUI, because for this you would need to be able to run unsigned code. The Switch doesn't just accept any kind of code on the cartridge (most likely); it would need to be signed by Nintendo.
Copying cartridges has always been done in just months; making a flash cart that noobs can use is the part that takes the longest ;)

Dark-Sider
smiba said:
Mobile phones just use normal NAND or eMMC memory; there is nothing special about it. The difference is that they often have parts on the drives that the system marked as removed but that aren't actually erased yet. Some forensic kits make use of this to recover removed data.
Also most phones are encrypted, but for this it doesn't matter if the cartridge is encrypted. The final goal is to copy it, not to modify it.
I know my fair share of mobile forensics and chip-off since this is part of my line of work (no, not for .gov). What I wanted to say was that dumping a soldered NAND chip was way more difficult a few years ago than it is now, with plug-and-play solutions all over the place. Right now dumping a flash chip is basically as easy as extracting a SATA HDD and creating a physical copy, as long as you have the right tools readily available.

So if I were a developer I would assume that my NAND contents would be dumped on day 1 if not day 0. So this can't be a valid part of my strategy for keeping my device secure.

To just go back to smartphones: chip-off was primarily used to circumvent PIN or pattern locks on unencrypted devices. On devices that use strong passwords with state-of-the-art encryption you'll just find "random" data on the NAND (maybe except the phone OS partition and sometimes the emulated SD card).

My reply was also not about the flash cart but about EpicLPer's statement about the Switch NAND being dumped and having partition names in it. Again, good security comes not from hiding anything but from making it nearly impossible to break even when you know exactly how it works.

smiba said:
The hardest part is developing something like a GUI, because for this you would need to be able to run unsigned code. The Switch doesn't just accept any kind of code on the cartridge (most likely); it would need to be signed by Nintendo.
Copying cartridges has always been done in just months; making a flash cart that noobs can use is the part that takes the longest ;)

I also know my fair share about code signing and modern security architectures. So GUIs like we had on GBA or DS flash carts won't be available any time soon (I guess). Having a cart that would just behave like a Sky3DS would sell like hell. So if it can be done, it will be done. The main goal of those carts is piracy; as for getting unsigned / self-signed code running on the system to display your own GUIs, at that point the Switch would be hacked wide open, so carts would be obsolete again.

My guess is that even providing a 1:1 copy of a flash cart is more difficult than getting some kind of code execution on the Switch itself.

Another guess is that the communication between the cart and the Switch will be encrypted as well.

Was there really a 1:1 copy of a 3DS game just months after the release? I always thought the first team that accomplished this was Sky3DS. The other carts like Gateway relied on firmware bugs / exploits...

However, keep up your good and contributing work. I'm very curious what your findings will be!

bye,
Darky

smiba (OP)
Dark-Sider said:
Was there really a 1:1 copy of a 3DS game just months after the release? I always thought the first team that accomplished this was Sky3DS. The other carts like Gateway relied on firmware bugs / exploits...

.3ds ROMs were online way before anyone made an emulator or working flash cart; dumping is easier than getting them to run again.

Dark-Sider said:
However, keep up your good and contributing work. I'm very curious what your findings will be!

bye,
Darky

Thanks for your comment, and I'll keep everyone posted.

Amazing work!

Thanks!